1. Standards of Conduct/Policies and Procedures
The first of the basic compliance elements in industry guidance recommends that the organization establish standards and procedures to prevent and detect criminal conduct. The standards or code of conduct and the policies and procedures become the foundational tools with which you can build your compliance program.
The standards of conduct, first and foremost, demonstrate the organization’s overarching ethical attitude and its organization-wide emphasis on compliance with all applicable laws and regulations. The code is meant for all employees and all representatives of the organization. This includes management, as well as vendors, suppliers, and others who work on behalf of the organization, groups that are frequently overlooked. From the board of directors to volunteers, everyone must receive, read, understand, and agree to abide by the standards of the code of conduct. For this reason the code should be written plainly and concisely in an accessible style; an easy-to-understand reading level is recommended. Plain and concise does not mean generic, however. The contents of the code of conduct must be tailored to the organization’s culture, business, and corporate identity. Institutions with a diverse constituency should also consider providing the code of conduct in other languages and/or in formats accessible to those with disabilities, as appropriate. When providing the code in translation, the organization should “test” that the translation is accurate, not only with the expert who translated the code but also with a test group of individuals whose primary language is the one the code was translated into.
Establishing an organization-wide code of conduct is a key recommendation of the Organization for Economic Cooperation and Development (OECD), which in 2010 established the “Good Practice Guidance on Internal Controls, Ethics and Compliance.” The OECD’s Working Group on Bribery, which authored the Guidance, urges companies to establish:
1. Strong, explicit and visible support and commitment from senior management to the company’s internal controls, ethics and compliance programs or measures for preventing and detecting foreign bribery;
2. A clearly articulated and visible corporate policy prohibiting foreign bribery…[1]
The OECD’s Guidance was adopted as an annex to its 2009 Anti-Bribery Recommendation, which supplements the OECD Anti-Bribery Convention, an internationally recognized instrument that has been ratified by the OECD’s 34 member countries and six non-member countries.[2] While its primary focus is on preventing bribery, the Guidance supports compliance programs with a broader scope, stating that its recommendations “should be interconnected with a company’s overall compliance framework.”[3] The code of conduct provides a process for proper decision-making, for doing the right thing. It elevates corporate performance in basic business relationships and confirms that the organization upholds and supports proper compliance conduct. Managers should be encouraged to refer to the code of conduct whenever possible, incorporating its elements or standards into performance reviews. Compliance with the standards must be enforced through appropriate discipline when necessary. Disciplinary procedures should be clearly stated in the standards, and the penalty for serious violations of the standards of conduct, up to and including dismissal, must be stated and consistently imposed to emphasize the organization’s commitment. (See Element Number 6—Enforcement and Discipline.)
Code of Conduct—Content Checklist
- Demonstrates an organizational emphasis on compliance with all applicable laws and regulations
- Is written plainly and concisely so all employees can understand the standards
- Is translated into other languages and/or adapted for employees with disabilities, as appropriate
- Includes frequently asked questions or scenarios based on high-risk areas
- Includes expectations for employees on interactions with other employees, suppliers, and clients
- Includes notice of each individual’s accountability for reporting potentially noncompliant conduct
- Mentions organizational policies without completely restating them
- Is consistent with company policies and procedures
- Includes management’s responsibility to explain and enforce the code.
Code of Conduct—Communicating to Employees
- All employees must receive, read, and understand the standards on an annual basis
- A supervisor or qualified trainer should explain the standards and answer any questions
- Employees should attest in writing that they have received, read, and understood the standards
- Employee compliance with the standards must be enforced through appropriate discipline when necessary
- Discipline for noncompliance should be stated in the standards.
Code of Conduct—Purpose
- To present overarching guidelines for employees to follow
- To confirm that all employees comprehend what is required of them
- To provide a process for proper reporting of potential noncompliance
- To provide employees with a rationale for putting standards into everyday practice
- To elevate corporate performance in basic business relationships
- To confirm that the organization upholds and supports proper compliance conduct.
(See Appendix A.1, Sample Letter to Vendors.)
Policies and Procedures
Whereas a code of conduct provides guidelines for business decision-making and behavior, the compliance policies and procedures are specific and address identified areas of risk. Most organizations already have an employee manual that outlines all human resource-related policies and procedures, and they may have other operational policies and procedures specific to certain business practices or operations. Whenever possible, compliance policies and procedures should be integrated into existing policies to avoid redundancy and to ensure that different policies on related topics do not contradict one another. All policies within an organization should be consistent with laws, regulations, industry requirements, and general compliance. In fact, as part of implementing a compliance program, and while drafting compliance policies and procedures, all other policies within the organization should be reviewed and revised as necessary. While it is imperative that the organization have policies and procedures, it cannot be emphasized enough that the only thing worse than not having a policy is having a policy and not following it.
Develop your policies and procedures carefully. Take care that they are realistic and measurable.
Two types of compliance policies and procedures should be developed by every organization: structural and substantive. The structural policies create the basic framework for how the compliance program will operate. The substantive policies identify the regulations that apply to the organization and define how to operate in compliance with them. They also identify the organization’s risk areas and describe what behavior is appropriate with regard to those risk areas. Both the structural and the substantive policies and procedures are essential to a compliance program, so that the rules to which employees will be held and the method for enforcing those rules are clearly explained and documented.
Structural policies and procedures should be developed to address:
- Directives or mission of the compliance program
- Revision of existing and creation of new policies and procedures (including distribution and updating requirements)
- Role of the compliance officer
- Role of the compliance committee
- Educational requirements
- Method for anonymous reporting and non-retaliation for reporting (if applicable to your organization and/or the country in which the business is located): It is important to have a clearly stated policy on non-retaliation and non-retribution in the organization. Let everyone know there will be disciplinary consequences if there is retaliation or retribution against an individual who has raised potential issues.
- Auditing processes
- Monitoring processes
- Process for responding to reports of possible misconduct
- Process for responding to internal and external requests for documents or investigations
- Description of when disciplinary action will be considered, ensuring that doing so is consistent with HR processes and/or policy
- Record retention/destruction.
Substantive policies and procedures should be developed to address:
- Process for preventing inappropriate actions in specific risk areas not already covered by existing policies; e.g., conflict of interest, privacy and security of information, protection of intellectual property, export controls, etc.
- Documentation requirements.
Policies and procedures, like the code of conduct, must be living documents, not just a binder on a shelf. They must become integral to the day-to-day operation of the organization; that is what forms the basis for an effective compliance program. To determine whether that goal is met, consider: How are the policies and procedures applied every day? Are they incorporated into performance reviews and educational programs? Are they reviewed and updated according to a schedule, and on time? Revising policies and procedures is a complex and ongoing process and requires persistence to keep them current. Again, standards of conduct, policies, and procedures are the tools of compliance, but they must be used and sharpened to be effective.
2. Compliance Officer and Compliance Committee
Industry standards recommend designating a compliance officer to serve as the focal point for compliance activities. In most cases the position should be a full-time role; the size, scope, and resources of the organization determine whether dedicating a full-time resource is feasible, and its executives will make that determination. Assigning the compliance officer appropriate authority is also critical to the success of the program. At a specific level, for example, the compliance officer must have full authority to access any and all documents relevant to compliance activities, including financial statements and their supporting documents, contracts with suppliers and agents, and other accounting records. In the big picture, however, “appropriate authority” comes from the unquestionable backing of the CEO and the board of directors or its equivalent, the sources of ultimate authority and respect.
To carry out such operational responsibility, the individual(s) should be given adequate resources, appropriate authority, and direct access to the governing authority or an appropriate subgroup of it. This is logical, because it is the board that supported the launch of the compliance initiative and approved the hiring of the compliance officer. Board members may even be actively involved in interviewing compliance officer candidates. They should also be involved in developing the compliance officer’s job description, and they should form an important part of the compliance officer’s reporting structure.
There is concern, and some risk, in having the compliance officer report to the general counsel or to the chief financial officer. That reporting arrangement creates a real or apparent conflict of interest because of those officers’ respective roles with management. Separating compliance from legal and finance, where possible, helps ensure that every aspect of the compliance officer’s role is independent and objective (meaning there is no real or perceived vested interest in the outcome). There are different reporting structures for the compliance officer role, and the organization must weigh many variables to determine what works best for it. However, the dominant theme in industry is for the compliance officer to report directly to the organization’s CEO and/or its internal governing body (e.g., oversight committee, supervisory board, administrative body, board of directors, audit committee) in order to maintain real and perceived independence. The size and setting of your organization will influence its reporting structure. It is recommended that the board or its liaison committee have, at minimum, a “dotted line” or indirect reporting relationship with the compliance officer. Below is a snapshot of compliance officer reporting structures from a 2010 survey conducted by the Society of Corporate Compliance and Ethics and the Health Care Compliance Association.
Compliance Officer Reporting Structures[4]
Columns give the type of organization in which the respondent works.

| To whom the compliance officer reports | For profit, publicly traded | For profit, privately held | Non-profit | Total (number) | Total (percent) |
|---|---|---|---|---|---|
| Board | 51 | 65 | 227 | 343 | 54.3% |
| Chief Executive Officer | 15 | 38 | 96 | 149 | 23.6% |
| Chief Financial Officer | 4 | 3 | 7 | 14 | 2.2% |
| General Counsel | 23 | 16 | 17 | 56 | 8.9% |
| Human Resources | 0 | 1 | 2 | 3 | 0.5% |
| Audit | 0 | 0 | 6 | 6 | 0.9% |
| Other | 4 | 19 | 37 | 60 | 9.5% |
The compliance officer’s duties also will vary depending on size and scope of the program. The main focus of the position should be the implementation, administration, and oversight of the compliance program. Primary responsibilities should include the following:
- Designing, implementing, overseeing, and monitoring the compliance program
- Reporting on a regular basis to the organization’s governing body, CEO, and compliance committee
- Revising the compliance program periodically as appropriate
- Developing, coordinating, and participating in a multifaceted educational and training program
- Ensuring that the third parties the organization does business with are aware of the organization’s compliance program requirements
- Serving as a source of compliance-related information for employees, management, suppliers, and the board
- Ensuring that appropriate background checks are conducted
- Assisting with internal compliance review and monitoring activities
- Ensuring that management has mechanisms in place to mitigate risks
- Independently investigating matters related to compliance
- Ensuring that management takes corrective action to resolve the noncompliance problems identified
- Ensuring that the organization has given employees a mechanism for reporting potential issues.
The compliance officer is a unique position. It requires an individual who understands the nature of the business or industry; who is capable of understanding and questioning practices in the organization, including in financial areas; who is knowledgeable of the legal requirements and penalties that may be imposed in the industry for wrongdoing; who has strong written and verbal communication skills; and who is approachable. Whatever the tenure or educational level, the compliance officer, as “focal point” of the program, must be a person respected and trusted throughout the organization. Strong interpersonal skills, good listening abilities, and discretion are mandatory. (See Appendix A.4, Sample Compliance Officer Job Description.)
As compliance has grown and matured as a profession, it has, like other professions, sought to identify and distinguish those in the field who have, with experience and education, achieved the necessary skill set to be an effective compliance officer.
Moreover, compliance officers are stewards of a public trust, and therefore the services they provide must meet the highest standards of professionalism, integrity, and competence. The Code of Ethics for Compliance Professionals (see Appendix B) addresses three principles, which are broad standards of an inspirational nature. They include:
Principle I: Obligations to the Public—Compliance and ethics professionals (CEPs) should abide by and promote compliance with the spirit and the letter of the law governing their employing organization’s conduct and exemplify the highest ethical standards in their professional conduct in order to contribute to the public good.
Principle II: Obligations to the Employing Organization—Compliance and ethics professionals (CEPs) should serve their employing organizations with the highest sense of integrity, exercise unprejudiced and unbiased judgment on their behalf, and promote effective compliance and ethics programs.
Principle III: Obligation to the Profession—Compliance and ethics professionals (CEPs) should strive, through their actions, to uphold the integrity and dignity of the profession, to advance the effectiveness of compliance and ethics programs, and to promote professionalism in compliance and ethics.
These principles and the accompanying rules of conduct should be reviewed and studied—and adhered to—by all compliance officers.
The compliance officer may be the focal point of a compliance program, but he or she cannot be the only point, nor does this role “assure” compliance for the organization. It is important that the compliance officer have support from the governing body through their engagement and involvement in a board oversight committee. This committee’s role is to understand and provide guidance on the compliance program efforts, ask appropriate questions related to management’s ability to address and mitigate compliance risk and assure that the compliance officer and the compliance program are adequately addressing areas of compliance risk for the organization.
Industry has demonstrated that the formation of a management compliance committee can be an effective addition to the program, although the specific composition of the committee may vary. The committee will benefit from having varying perspectives such as operations, finance, audit, risk management, human resources, and legal, as well as employees and managers of key operating units. This committee will assist the compliance officer in ensuring effective mechanisms are in place to mitigate risk areas, real and/or potential.
The compliance officer’s role with the compliance committee can also vary. In some organizations the compliance officer sits ex officio. In others, the compliance officer may even chair the committee. Regardless of who chairs the committee, the compliance department commonly is responsible for scheduling meetings, preparing the agenda, taking and distributing minutes, and coordinating follow-up.
Management compliance committee functions, in addition to aiding and supporting the compliance officer, can include:
- Analyzing legal requirements and specific risk areas, together with counsel on the committee
- Regularly reviewing and assessing the accuracy of, and adherence to, policies and procedures
- Assisting with the development of standards of conduct and policies and procedures
- Monitoring internal systems related to standards, policies, and procedures
- Reviewing industry guidance and new information regularly and integrating it into the compliance program
- Determining the appropriate strategy to promote compliance
- Developing a system to solicit, evaluate, and respond to complaints and problems.
The importance and potential influence of the management compliance committee cannot be overstated. Look for committed individuals who will be strong, visible, and vocal advocates for the compliance program. Furthermore, the committee should be composed of individual representatives of each unique department in the organization so that they can communicate to the rest of the committee and the compliance officer on compliance activities and risk areas within their department. The members are also important in providing communication back to their respective departments on the organization’s compliance requirements. The committee is a vital source of information both to the compliance officer and the rest of the organization.